<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Johan Sydseter</title>
    <description>The latest articles on DEV Community by Johan Sydseter (@sydseter).</description>
    <link>https://dev.to/sydseter</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1603787%2F2452403e-ca52-4d25-94f2-1170d6598a26.png</url>
      <title>DEV Community: Johan Sydseter</title>
      <link>https://dev.to/sydseter</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sydseter"/>
    <language>en</language>
    <item>
      <title>The Cornucopia of Gamified Threat Modeling</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Tue, 24 Mar 2026 09:55:15 +0000</pubDate>
      <link>https://dev.to/owasp/the-cornucopia-of-gamified-threat-modeling-1c9k</link>
      <guid>https://dev.to/owasp/the-cornucopia-of-gamified-threat-modeling-1c9k</guid>
      <description>&lt;p&gt;&lt;strong&gt;At the OWASP Cornucopia project, we are done with updating the cards and help pages for the Website App Edition v3.0: &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0" rel="noopener noreferrer"&gt;https://cornucopia.owasp.org/edition/webapp/VE2/3.0&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We would like to thank everyone who contributed to the translations for the new version of the card game and welcome you to review the text on the help pages themselves. Are there inconsistencies? Is there something you feel should be added or removed? If you find anything, please don't hesitate to contact us or raise an issue. Each page includes a "View source on GitHub" button that lets you quickly edit the text if you aren't pleased with it. All viewpoints and critiques are welcome as we are trying to create a home for gamified threat modelling.&lt;/p&gt;

&lt;p&gt;The new Website App Edition v3.0, available in 10 languages (EN, ES, FR, HI, NL, NO-NB, PT-PT, PT-BR, RU, UK), connects 202 CAPECs individually to a set of ASVS 5.0 requirements in relation to each of the cards. This means, even though you only have 80 cards, the website describes an exponential number of possible threats, making it the Cornucopia of website app threats. There is simply no end to where your thoughts can take you while playing the game; yes, that's the Cornucopia way.&lt;br&gt;
But what if you want to focus on a specific CAPEC and find the related OWASP ASVS requirements? &lt;br&gt;
Go to a card, click on the CAPEC in the CAPEC map, and it will give you all the possible OWASP ASVS combinations, thereby connecting attack patterns and security requirements, making a thorough and deep website security requirement analysis possible while discussing a specific card. You can literally spend weeks analysing, playing, deciding for yourself "What can go wrong?", "What to do about it?", and even form yourself an opinion on whether you really did a good job (see: &lt;a href="https://github.com/adamshostack/4QuestionFrame" rel="noopener noreferrer"&gt;Shostack's Four Question Frame for Threat Modeling&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;Have we stopped there? No, we haven't! For each card, you also have the "OWASP Cheat Sheet Series Index". What is that? The "OWASP Cheat Sheet Series Index" is an OWASP index that connects each of the ASVS requirements with a set of OWASP Cheat Sheets that give you advice on how to implement the specific OWASP ASVS requirement! Want to know how to do log protection according to "OWASP ASVS V16.4 - Log Protection"? No problem! The "OWASP ASVS (5.0) Cheat Sheet Series Index" displayed on the help pages for each card will take you to the collection of OWASP Cheat Sheets related to the requirement you are wondering about.&lt;/p&gt;

&lt;p&gt;But there is even more! What about STRIDE? What about Threat Modeling? Each card has a &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0#STRIDE" rel="noopener noreferrer"&gt;STRIDE section&lt;/a&gt;, a &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0#What-can-go-wrong?" rel="noopener noreferrer"&gt;"What can go wrong?"&lt;/a&gt; section and a &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0#What-are-we-going-to-do-about-it?" rel="noopener noreferrer"&gt;"What are we going to do about it?"&lt;/a&gt; section. &lt;/p&gt;

&lt;p&gt;This means that during your threat modeling, if you have questions about &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0#What-can-go-wrong?" rel="noopener noreferrer"&gt;"What can go wrong?"&lt;/a&gt; or &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0#What-are-we-going-to-do-about-it?" rel="noopener noreferrer"&gt;"What are we going to do about it?"&lt;/a&gt;, just go to the individual card pages, and you will find what you are looking for!&lt;/p&gt;

&lt;p&gt;Now, you may be asking yourself, "That's it, right?" No, it isn't; we have even moooooooore!&lt;/p&gt;
&lt;h2&gt;
  
  
  Threat Dragon and EoP Games
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ry2rze9wnftocimdkyo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ry2rze9wnftocimdkyo.png" alt="Threat Dragon and EoP Games"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When choosing a tool for publishing our threat model, we chose &lt;a href="https://www.threatdragon.com/#/" rel="noopener noreferrer"&gt;OWASP Threat Dragon&lt;/a&gt;. OWASP Threat Dragon is a free, open-source, cross-platform threat modeling application. It is used to create threat modeling diagrams and list threats for elements within the diagrams. Mike Goodwin created Threat Dragon as an open-source community project that provides an intuitive, accessible way to model threats.&lt;/p&gt;

&lt;p&gt;OWASP Threat Dragon has released this possibility in v2.6. This is just the start of integration between the two projects.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl25mz5xxzbt0a8t5627g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl25mz5xxzbt0a8t5627g.png" alt="How to choose to create a OWASP Cornucopia threat model"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thanks to Gerardo Canedo and his students at Universidad Católica del Uruguay, it's now possible to create your OWASP Cornucopia Threat Model directly in OWASP Threat Dragon. When creating a new diagram for your threat model, simply choose to create an EoP Games diagram. We chose to call the diagram EoP Games for two reasons. One, OWASP Cornucopia is derived from the &lt;a href="https://shostack.org/games/elevation-of-privilege" rel="noopener noreferrer"&gt;Elevation of Privilege game&lt;/a&gt; created by Adam Shostack. Two, we don't want to stop with OWASP Cornucopia. We also want to add other EoP games, such as the original EoP Game.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zl30hc63fie1wg6y7e3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zl30hc63fie1wg6y7e3.png" alt="Create a OWASP Cornucopia threat"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once you have created an EoP Games diagram, you can add OWASP Cornucopia threats to your threat model. The specific threat you add will get a link reference to the &lt;a href="https://cornucopia.owasp.org/edition/webapp/AT3/2.2/en#Threat-Modeling" rel="noopener noreferrer"&gt;OWASP Cornucopia website&lt;/a&gt;, where you will find guidance on threat modeling and STRIDE, which will help you in identifying what can go wrong and what to do about it. You can also find a &lt;a href="https://cornucopia.owasp.org/edition/webapp/AT3/2.2/en#What-are-we-going-to-do-about-it?" rel="noopener noreferrer"&gt;complete mapping&lt;/a&gt; to &lt;a href="https://cornucopia.owasp.org/taxonomy/asvs-4.0.3/02-authentication/05-credential-recovery#V2.5.2" rel="noopener noreferrer"&gt;OWASP ASVS&lt;/a&gt;, &lt;a href="https://devguide.owasp.org/en/04-design/02-web-app-checklist/06-digital-identity/#1-authentication-a" rel="noopener noreferrer"&gt;OWASP Developer Guide&lt;/a&gt;, and all &lt;a href="https://cornucopia.owasp.org/taxonomy/capec-3.9" rel="noopener noreferrer"&gt;relevant CAPECs&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mvjvggcpwkh58fix1bc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mvjvggcpwkh58fix1bc.png" alt="OWASP Corncupia Website"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I want to express my sincere appreciation to Gerardo Canedo, Sebastian Feirres, and their students at Universidad Católica del Uruguay for making this possible. Without their dedication and effort, OWASP Cornucopia wouldn’t have had this possibility.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faabcyoarlrl9ogkvw601.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faabcyoarlrl9ogkvw601.JPG" alt="Gerardo Canedo and his students at Universidad Católica del Uruguay"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Shostack's 4 Question Frame for Threat Modeling
&lt;/h2&gt;

&lt;p&gt;OWASP Cornucopia, together with OWASP Threat Dragon, is helping us in answering:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What are we working on?&lt;/li&gt;
&lt;li&gt;What can go wrong?&lt;/li&gt;
&lt;li&gt;What are we going to do about it?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;...but what about "Did we do a good enough job?"&lt;/p&gt;

&lt;p&gt;At Admincontrol, where I work, we have always sent an anonymous survey after every OWASP Cornucopia threat modeling session. The aggregate score for how satisfied respondents have been with all sessions we've held since we started OWASP Cornucopia in 2023 is 4.5 out of 5. When asked how relevant the session was to the participant's job, the average score was 4.7 out of 5. When asked whether the OWASP Cornucopia session helped the participants understand which security controls (mitigations) they need to implement/test, the score was 4.5. When asked whether the session improved the overall awareness of application security requirements, the score was 4.0. When asked, "Did we do a good job?", the score was 4.3. So for sure, we can do better!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn0iihqk4knhglpi3qo2l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn0iihqk4knhglpi3qo2l.png" alt="Relevant for your job"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When asking the question, "Did we do a good enough job?", don’t just blurt it out during a session. Do you honestly think people will give you their honest criticism to your face directly? Send out an anonymous survey and ask for feedback!&lt;/p&gt;
&lt;h2&gt;
  
  
  How to get those requirements into your issue tracking software
&lt;/h2&gt;

&lt;p&gt;So you have done your threat modeling and security requirement analysis, what comes next? You need to create an issue that the development team can work on, and you need to add it to the development team's sprint. How do you do it? &lt;br&gt;
The OWASP Cornucopia project is creating a &lt;a href="https://cornucopia.owasp.org/api/docs" rel="noopener noreferrer"&gt;requirements API&lt;/a&gt; that lets you harvest the security requirements you want. After you have created your threat model in OWASP Threat Dragon, export its JSON, look up the threats you have identified, find the corresponding security requirements using the API, merge the results, and generate your &lt;a href="https://cornucopia.owasp.org/how-to-play#Gameplay---Modelling-evil-user-stories" rel="noopener noreferrer"&gt;evil user stories&lt;/a&gt; by pushing them to your issue tracking software just in time for the development team's next sprint.&lt;/p&gt;
&lt;h2&gt;
  
  
  How to get OWASP Cornucopia?
&lt;/h2&gt;

&lt;p&gt;The question you might be asking yourself is, "How are we going to be able to utilize these resources and play this game?" No problem! There are various ways you can do that, both online at &lt;a href="http://copi.owasp.org/" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt; and in person, enjoying the presence of your colleagues, by &lt;a href="https://cybersecgames.com/products/owasp%C2%AE-cornucopia-3-0-website-app-edition-threat-modeling-cards-copy" rel="noopener noreferrer"&gt;buying a deck of cards&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;
  
  
  What is coming next...
&lt;/h2&gt;

&lt;p&gt;But what about DevOps? What about LLMs and AI agents? We are working on that too. The new &lt;a href="https://cornucopia.owasp.org/edition/companion" rel="noopener noreferrer"&gt;OWASP Cornucopia Companion Edition&lt;/a&gt;, which will soon be published, can be used alongside the OWASP Website App Edition and comes with 6 new companion suits covering new topics: Agentic AI (AAI), Automated Threats (BOT), Cloud (CLD), Frontend (FRE), Large Language Models (LLM), and DevOps (DVO). A suit in the companion deck may replace (or be used in addition to) suits in the existing Website Edition so that the players can add a specific focus to their threat modeling. For example, say you are building an LLM application and want to perform threat modeling specifically for LLMs. You would then use the OWASP Cornucopia Website Edition and the LLM companion suit as your elected OWASP Cornucopia focus area.&lt;/p&gt;

&lt;p&gt;OWASP Cornucopia welcomes any input or improvements you might be willing to share with us. For anyone wanting to share their opinion, please don't hesitate to &lt;a href="https://github.com/OWASP/cornucopia/issues" rel="noopener noreferrer"&gt;visit our repository&lt;/a&gt;, share your feedback, and, if appropriate, give us a star⭐️.&lt;/p&gt;

&lt;p&gt;  &lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
  &lt;/iframe&gt;
&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>appsec</category>
      <category>security</category>
      <category>gamedev</category>
      <category>cybersecurity</category>
    </item>
    <item>
<title>OWASP Cornucopia is publishing its darkest secrets!</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Mon, 16 Feb 2026 06:39:00 +0000</pubDate>
      <link>https://dev.to/owasp/owasp-cornucopia-is-publishing-its-darkest-secrets-fjc</link>
      <guid>https://dev.to/owasp/owasp-cornucopia-is-publishing-its-darkest-secrets-fjc</guid>
      <description>&lt;p&gt;&lt;strong&gt;Why do we keep our darkest fears secret? Publish them, and bring light to the darkest corners of your web application.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When Adam Shostack + Associates last year urged everyone to &lt;a href="https://shostack.org/blog/publish-your-threat-model/" rel="noopener noreferrer"&gt;publish their threat model&lt;/a&gt;, we thought, «What a wonderful idea!»&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fivcsnbnbtq4qs0t4xzc6.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fivcsnbnbtq4qs0t4xzc6.webp" alt="Publish your threat model, at https://shostack.org/blog/publish-your-threat-model/"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So we went ahead and did just that. At cornucopia.owasp.org, you can now &lt;a href="https://cornucopia.owasp.org/copi#Our-Threat-Model" rel="noopener noreferrer"&gt;find the threat model&lt;/a&gt; for the &lt;a href="https://copi.owasp.org/" rel="noopener noreferrer"&gt;OWASP Cornucopia Game Engine, Copi&lt;/a&gt;.&lt;br&gt;
There we have listed all our darkest fears and secrets. Darkness is not a force of its own; it is simply the absence of light. When light is shed on our doubts and fears, making them visible, we find solutions and become stronger. This is why publishing your threat model is essential. If you refuse to disclose your vulnerabilities to anyone, they become liabilities that may one day lead to doubts, lies, and perhaps even conspiracies and litigation. Therefore, before building software, build trust and make it clear what others need to be aware of.&lt;/p&gt;
&lt;h2&gt;
  
  
  Threat Dragon and EoP Games
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ry2rze9wnftocimdkyo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ry2rze9wnftocimdkyo.png" alt="Threat Dragon and EoP Games"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When choosing a tool for publishing our threat model, we chose &lt;a href="https://www.threatdragon.com/#/" rel="noopener noreferrer"&gt;OWASP Threat Dragon&lt;/a&gt;. OWASP Threat Dragon is a free, open-source, cross-platform threat modeling application. It is used to create threat modeling diagrams and list threats for elements within the diagrams. Mike Goodwin created Threat Dragon as an open-source community project that provides an intuitive, accessible way to model threats.&lt;/p&gt;

&lt;p&gt;OWASP Threat Dragon will release this possibility in v2.6, which is due to be released in week 9, but you can already try it out on their &lt;a href="https://www.threatdragon.com/#/" rel="noopener noreferrer"&gt;demo site&lt;/a&gt;. This is just the start of the integration between the two projects; more is to come. OWASP Threat Dragon v2.6 will come out with all sorts of exciting features. For a full list, have a look at their current &lt;a href="https://github.com/OWASP/threat-dragon/issues?q=label%3Aversion-2.6" rel="noopener noreferrer"&gt;v2.6 roadmap&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl25mz5xxzbt0a8t5627g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl25mz5xxzbt0a8t5627g.png" alt="How to choose to create a OWASP Cornucopia threat model"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thanks to Gerardo Canedo and his students at Universidad Católica del Uruguay, it's now possible to create your OWASP Cornucopia Threat Model directly in OWASP Threat Dragon. When creating a new diagram for your threat model, simply choose to create an EoP Games diagram. We chose to call the diagram EoP Games for two reasons. One, OWASP Cornucopia is derived from the &lt;a href="https://shostack.org/games/elevation-of-privilege" rel="noopener noreferrer"&gt;Elevation of Privilege game&lt;/a&gt; created by Adam Shostack. Two, we don't want to stop with OWASP Cornucopia. We also want to add other EoP games, such as the original EoP Game.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zl30hc63fie1wg6y7e3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zl30hc63fie1wg6y7e3.png" alt="Create a OWASP Cornucopia threat"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once you have created an EoP Games diagram, you can add OWASP Cornucopia threats to your threat model. The specific threat you add will get a link reference to the &lt;a href="https://cornucopia.owasp.org/edition/webapp/AT3/2.2/en#Threat-Modeling" rel="noopener noreferrer"&gt;OWASP Cornucopia website&lt;/a&gt;, where you will find guidance on threat modeling and STRIDE, which will help you in identifying what can go wrong and what to do about it. You can also find a &lt;a href="https://cornucopia.owasp.org/edition/webapp/AT3/2.2/en#What-are-we-going-to-do-about-it?" rel="noopener noreferrer"&gt;complete mapping&lt;/a&gt; to &lt;a href="https://cornucopia.owasp.org/taxonomy/asvs-4.0.3/02-authentication/05-credential-recovery#V2.5.2" rel="noopener noreferrer"&gt;OWASP ASVS&lt;/a&gt;, &lt;a href="https://devguide.owasp.org/en/04-design/02-web-app-checklist/06-digital-identity/#1-authentication-a" rel="noopener noreferrer"&gt;OWASP Developer Guide&lt;/a&gt;, and all &lt;a href="https://cornucopia.owasp.org/taxonomy/capec-3.9" rel="noopener noreferrer"&gt;relevant CAPECs&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mvjvggcpwkh58fix1bc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mvjvggcpwkh58fix1bc.png" alt="OWASP Corncupia Website"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I want to express my sincere appreciation to Gerardo Canedo, Sebastian Feirres, and their students at Universidad Católica del Uruguay for making this possible. Without their dedication and effort, OWASP Cornucopia wouldn’t have had this possibility.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faabcyoarlrl9ogkvw601.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faabcyoarlrl9ogkvw601.JPG" alt="Gerardo Canedo and his students at Universidad Católica del Uruguay"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Shostack's 4 Question Frame for Threat Modeling
&lt;/h2&gt;

&lt;p&gt;OWASP Cornucopia, together with OWASP Threat Dragon, is helping us in answering:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What are we working on?&lt;/li&gt;
&lt;li&gt;What can go wrong?&lt;/li&gt;
&lt;li&gt;What are we going to do about it?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;...but what about "Did we do a good enough job?"&lt;/p&gt;

&lt;p&gt;At Admincontrol, where I work, we have always sent an anonymous survey after every OWASP Cornucopia threat modeling session. The aggregate score for how satisfied respondents have been with all sessions we've held since we started OWASP Cornucopia in 2023 is 4.5 out of 5. When asked how relevant the session was to the participant's job, the average score was 4.7 out of 5. When asked whether the OWASP Cornucopia session helped the participants understand which security controls (mitigations) they need to implement/test, the score was 4.5. When asked whether the session improved the overall awareness of application security requirements, the score was 4.0. When asked, "Did we do a good job?", the score was 4.3. So for sure, we can do better!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn0iihqk4knhglpi3qo2l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn0iihqk4knhglpi3qo2l.png" alt="Relevant for your job"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When asking the question, "Did we do a good enough job?", don’t just blurt it out during a session. Do you honestly think people will give you their honest criticism to your face directly? Send out an anonymous survey and ask for feedback!&lt;/p&gt;

&lt;p&gt;OWASP Cornucopia welcomes any input or improvements you might be willing to share with us regarding our current threat model. Arguably, we created the system before we were able to identify all our threats, and several improvements need to be made to properly balance the inherent risks of compromise against the current security controls. For anyone hosting the game engine, please take this into account. For anyone wanting to share their opinion, please don't hesitate to &lt;a href="https://github.com/OWASP/cornucopia/issues" rel="noopener noreferrer"&gt;visit our repository&lt;/a&gt;, share your feedback, and, if appropriate, give us a star⭐️.&lt;/p&gt;

&lt;p&gt;

  &lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
  &lt;/iframe&gt;


&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>security</category>
      <category>appsec</category>
      <category>agile</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Are you the next card game designer for OWASP Cornucopia Website Edition v3.0?
Then get in touch with us for fame and glory!</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Thu, 13 Nov 2025 14:38:16 +0000</pubDate>
      <link>https://dev.to/sydseter/are-you-the-next-card-game-designer-for-owasp-cornucopia-website-edition-v30-then-get-in-touch-2em</link>
      <guid>https://dev.to/sydseter/are-you-the-next-card-game-designer-for-owasp-cornucopia-website-edition-v30-then-get-in-touch-2em</guid>
      <description>&lt;p&gt;

&lt;/p&gt;
&lt;div class="ltag__link--embedded"&gt;
  &lt;div class="crayons-story "&gt;
  &lt;a href="https://dev.to/owasp/owasp-cornucopia-30-a-call-for-card-game-designers-1j1m" class="crayons-story__hidden-navigation-link"&gt;OWASP Cornucopia 3.0 - A call for card game designers!&lt;/a&gt;


  &lt;div class="crayons-story__body crayons-story__body-full_post"&gt;
    &lt;div class="crayons-story__top"&gt;
      &lt;div class="crayons-story__meta"&gt;
        &lt;div class="crayons-story__author-pic"&gt;
          &lt;a class="crayons-logo crayons-logo--l" href="/owasp"&gt;
            &lt;img alt="OWASP® Foundation logo" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F3468%2F0b3561bb-9ac3-413f-baaa-5014181e4b4d.jpg" class="crayons-logo__image"&gt;
          &lt;/a&gt;

          &lt;a href="/sydseter" class="crayons-avatar  crayons-avatar--s absolute -right-2 -bottom-2 border-solid border-2 border-base-inverted  "&gt;
            &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1603787%2F2452403e-ca52-4d25-94f2-1170d6598a26.png" alt="sydseter profile" class="crayons-avatar__image"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
          &lt;div&gt;
            &lt;a href="/sydseter" class="crayons-story__secondary fw-medium m:hidden"&gt;
              Johan Sydseter
            &lt;/a&gt;
            &lt;div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"&gt;
              
                Johan Sydseter
                
              
              &lt;div id="story-author-preview-content-3019822" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"&gt;
                &lt;div class="gap-4 grid"&gt;
                  &lt;div class="-mt-4"&gt;
                    &lt;a href="/sydseter" class="flex"&gt;
                      &lt;span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"&gt;
                        &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1603787%2F2452403e-ca52-4d25-94f2-1170d6598a26.png" class="crayons-avatar__image" alt=""&gt;
                      &lt;/span&gt;
                      &lt;span class="crayons-link crayons-subtitle-2 mt-5"&gt;Johan Sydseter&lt;/span&gt;
                    &lt;/a&gt;
                  &lt;/div&gt;
                  &lt;div class="print-hidden"&gt;
                    
                      Follow
                    
                  &lt;/div&gt;
                  &lt;div class="author-preview-metadata-container"&gt;&lt;/div&gt;
                &lt;/div&gt;
              &lt;/div&gt;
            &lt;/div&gt;

            &lt;span&gt;
              &lt;span class="crayons-story__tertiary fw-normal"&gt; for &lt;/span&gt;&lt;a href="/owasp" class="crayons-story__secondary fw-medium"&gt;OWASP® Foundation&lt;/a&gt;
            &lt;/span&gt;
          &lt;/div&gt;
          &lt;a href="https://dev.to/owasp/owasp-cornucopia-30-a-call-for-card-game-designers-1j1m" class="crayons-story__tertiary fs-xs"&gt;&lt;time&gt;Nov 13 '25&lt;/time&gt;&lt;span class="time-ago-indicator-initial-placeholder"&gt;&lt;/span&gt;&lt;/a&gt;
        &lt;/div&gt;
      &lt;/div&gt;

    &lt;/div&gt;

    &lt;div class="crayons-story__indention"&gt;
      &lt;h2 class="crayons-story__title crayons-story__title-full_post"&gt;
        &lt;a href="https://dev.to/owasp/owasp-cornucopia-30-a-call-for-card-game-designers-1j1m" id="article-link-3019822"&gt;
          OWASP Cornucopia 3.0 - A call for card game designers!
        &lt;/a&gt;
      &lt;/h2&gt;
        &lt;div class="crayons-story__tags"&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/gamedev"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;gamedev&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/security"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;security&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/design"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;design&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/webdev"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;webdev&lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="crayons-story__bottom"&gt;
        &lt;div class="crayons-story__details"&gt;
          &lt;a href="https://dev.to/owasp/owasp-cornucopia-30-a-call-for-card-game-designers-1j1m" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"&gt;
            &lt;div class="multiple_reactions_aggregate"&gt;
              &lt;span class="multiple_reactions_icons_container"&gt;
                  &lt;span class="crayons_icon_container"&gt;
                    &lt;img src="https://assets.dev.to/assets/multi-unicorn-b44d6f8c23cdd00964192bedc38af3e82463978aa611b4365bd33a0f1f4f3e97.svg" width="18" height="18"&gt;
                  &lt;/span&gt;
              &lt;/span&gt;
              &lt;span class="aggregate_reactions_counter"&gt;1&lt;span class="hidden s:inline"&gt; reaction&lt;/span&gt;&lt;/span&gt;
            &lt;/div&gt;
          &lt;/a&gt;
            &lt;a href="https://dev.to/owasp/owasp-cornucopia-30-a-call-for-card-game-designers-1j1m#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"&gt;
              Comments


              &lt;span class="hidden s:inline"&gt;Add Comment&lt;/span&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div class="crayons-story__save"&gt;
          &lt;small class="crayons-story__tertiary fs-xs mr-2"&gt;
            2 min read
          &lt;/small&gt;
            
              &lt;span class="bm-initial"&gt;
                

              &lt;/span&gt;
              &lt;span class="bm-success"&gt;
                

              &lt;/span&gt;
            
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;




</description>
      <category>gamedev</category>
      <category>security</category>
      <category>design</category>
      <category>webdev</category>
    </item>
    <item>
      <title>OWASP Cornucopia 3.0 - A call for card game designers!</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Thu, 13 Nov 2025 12:24:59 +0000</pubDate>
      <link>https://dev.to/owasp/owasp-cornucopia-30-a-call-for-card-game-designers-1j1m</link>
      <guid>https://dev.to/owasp/owasp-cornucopia-30-a-call-for-card-game-designers-1j1m</guid>
      <description>&lt;h2&gt;&lt;em&gt;Would you like to be our card game designer for the OWASP Cornucopia Website Edition v3.0?&lt;/em&gt;&lt;/h2&gt;

&lt;p&gt;We are close to releasing the next version of &lt;a href="https://cornucopia.owasp.org/cards" rel="noopener noreferrer"&gt;OWASP Cornucopia Website Edition v3.0&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Are there brilliant designers out there who would like to volunteer to create the motifs for the 80 cards in OWASP's very popular threat modeling card game for website applications?&lt;/p&gt;

&lt;p&gt;OWASP® Cornucopia is a threat modeling tool in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional, and formal development processes. It strives to be language, platform, and technology-agnostic.&lt;/p&gt;

&lt;p&gt;It’s one of the few tools that connects threat modeling with OWASP ASVS, SAFECode, STRIDE, OWASP DevGuide, and CAPEC, helping to identify security requirements, develop a secure design, and create a threat model without prior knowledge of these frameworks. &lt;/p&gt;

&lt;p&gt;We are now creating the next version of the website app game. The new version will feature new cards and text that cover all of the requirements in OWASP ASVS 5.0 and connect these to more than 210 unique common attack patterns (CAPEC).&lt;/p&gt;

&lt;p&gt;The first edition was created in August 2012, released as v1.0 in February 2013, and has undergone several minor updates/releases over the subsequent ten years. It is being substantially updated for the v3.0 release, with the most noticeable change being the update of the OWASP ASVS mapping from ASVS v4.0 to v5.0. The card game comes in two physical sizes: the smaller ones are often referred to as “bridge-sized cards” and the larger ones as “Tarot-sized cards”. All the v3.0 files will be immediately available in nine languages (English, Spanish, French, Dutch, Norwegian, Portuguese, Italian, Russian, and Hungarian) thanks to the efforts of past and current volunteers.&lt;/p&gt;

&lt;p&gt;Don't hesitate to get in touch &lt;a href="https://www.linkedin.com/in/sydseter/" rel="noopener noreferrer"&gt;with us&lt;/a&gt; for fame and glory.&lt;/p&gt;




&lt;p&gt;Uncover the security flaws in your software's design before the bad guys do it for you! Get your team together on a call or in a room and guide your threat modelling at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt;: use OWASP Cornucopia Web &amp;amp; Mobile or Elevation of Privilege, Elevation of MLSec for your AI models and OWASP Cumulus for your cloud infrastructure. And if you visit our &lt;a href="https://github.com/OWASP/cornucopia" rel="noopener noreferrer"&gt;code repository&lt;/a&gt;, please give us a star ⭐️.&lt;/p&gt;

&lt;p&gt;&lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;&lt;/iframe&gt;&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>gamedev</category>
      <category>security</category>
      <category>design</category>
      <category>webdev</category>
    </item>
    <item>
      <title>[Boost]</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Wed, 08 Oct 2025 20:02:20 +0000</pubDate>
      <link>https://dev.to/sydseter/-2onl</link>
      <guid>https://dev.to/sydseter/-2onl</guid>
      <description>&lt;div class="ltag__link"&gt;
  &lt;a href="/owasp" class="ltag__link__link"&gt;
    &lt;div class="ltag__link__org__pic"&gt;
      &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F3468%2F0b3561bb-9ac3-413f-baaa-5014181e4b4d.jpg" alt="OWASP® Foundation" width="400" height="400"&gt;
      &lt;div class="ltag__link__user__pic"&gt;
        &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1603787%2F2452403e-ca52-4d25-94f2-1170d6598a26.png" alt="" width="400" height="400"&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/a&gt;
  &lt;a href="https://dev.to/owasp/how-do-you-get-your-dev-team-to-shift-left-by-themselves-for-real-3eap" class="ltag__link__link"&gt;
    &lt;div class="ltag__link__content"&gt;
      &lt;h2&gt;How do you get your dev team to shift left by themselves for real?&lt;/h2&gt;
      &lt;h3&gt;Johan Sydseter for OWASP® Foundation ・ Oct 3&lt;/h3&gt;
      &lt;div class="ltag__link__taglist"&gt;
        &lt;span class="ltag__link__tag"&gt;#devops&lt;/span&gt;
        &lt;span class="ltag__link__tag"&gt;#security&lt;/span&gt;
        &lt;span class="ltag__link__tag"&gt;#ai&lt;/span&gt;
        &lt;span class="ltag__link__tag"&gt;#gamedev&lt;/span&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/a&gt;
&lt;/div&gt;


</description>
      <category>devops</category>
      <category>security</category>
      <category>ai</category>
      <category>gamedev</category>
    </item>
    <item>
      <title>Shift-left doesn't start with scanning the code for security vulnerabilities; it begins with designing it. Play yourself secure with OWASP Cornucopia Website Edition v2.2</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Sat, 04 Oct 2025 15:29:03 +0000</pubDate>
      <link>https://dev.to/sydseter/shift-left-doesnt-start-with-scanning-the-code-for-security-vulnerabilities-it-begins-with-3cf8</link>
      <guid>https://dev.to/sydseter/shift-left-doesnt-start-with-scanning-the-code-for-security-vulnerabilities-it-begins-with-3cf8</guid>
      <description>&lt;div class="ltag__link"&gt;
  &lt;a href="/owasp" class="ltag__link__link"&gt;
    &lt;div class="ltag__link__org__pic"&gt;
      &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F3468%2F0b3561bb-9ac3-413f-baaa-5014181e4b4d.jpg" alt="OWASP® Foundation" width="400" height="400"&gt;
      &lt;div class="ltag__link__user__pic"&gt;
        &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1603787%2F2452403e-ca52-4d25-94f2-1170d6598a26.png" alt="" width="400" height="400"&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/a&gt;
  &lt;a href="https://dev.to/owasp/how-do-you-get-your-dev-team-to-shift-left-by-themselves-for-real-3eap" class="ltag__link__link"&gt;
    &lt;div class="ltag__link__content"&gt;
      &lt;h2&gt;How do you get your dev team to shift left by themselves for real?&lt;/h2&gt;
      &lt;h3&gt;johan sydseter for OWASP® Foundation ・ Oct 3&lt;/h3&gt;
      &lt;div class="ltag__link__taglist"&gt;
        &lt;span class="ltag__link__tag"&gt;#devops&lt;/span&gt;
        &lt;span class="ltag__link__tag"&gt;#security&lt;/span&gt;
        &lt;span class="ltag__link__tag"&gt;#ai&lt;/span&gt;
        &lt;span class="ltag__link__tag"&gt;#gamedev&lt;/span&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/a&gt;
&lt;/div&gt;


</description>
      <category>devops</category>
      <category>security</category>
      <category>ai</category>
      <category>gamedev</category>
    </item>
    <item>
      <title>How do you get your dev team to shift left by themselves for real?</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Fri, 03 Oct 2025 07:12:03 +0000</pubDate>
      <link>https://dev.to/owasp/how-do-you-get-your-dev-team-to-shift-left-by-themselves-for-real-3eap</link>
      <guid>https://dev.to/owasp/how-do-you-get-your-dev-team-to-shift-left-by-themselves-for-real-3eap</guid>
      <description>&lt;h2&gt;&lt;em&gt;Shift-left doesn't start with scanning the code for security vulnerabilities; it begins with designing it. Play yourself secure with OWASP Cornucopia Website Edition v2.2&lt;/em&gt;&lt;/h2&gt;

&lt;p&gt;Too often the shift-left mantra consists of implementing AI code scanning and applying AI-powered security fixes for remediation. Also, don't forget to implement the &lt;a href="https://engineering.fb.com/2025/04/29/ai-research/autopatchbench-benchmark-ai-powered-security-fixes/" rel="noopener noreferrer"&gt;AI-powered benchmark for AI-Powered Security Fixes&lt;/a&gt;. We're not telling you to stop using these tools; instead, we want to ask ourselves:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What are we working on?&lt;/li&gt;
&lt;li&gt;What can go wrong?&lt;/li&gt;
&lt;li&gt;What are we going to do about it?&lt;/li&gt;
&lt;li&gt;Did we do a good job?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Source: &lt;a href="https://github.com/adamshostack/4QuestionFrame" rel="noopener noreferrer"&gt;Shostack's Four Question Frame for Threat Modeling&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Secure design starts with understanding &lt;strong&gt;what we are working on&lt;/strong&gt;, asking &lt;strong&gt;what can go wrong&lt;/strong&gt; and &lt;strong&gt;what we are going to do about it&lt;/strong&gt;. Leave that to the AI assistants, you say?&lt;br&gt;
Before you do, know that the "&lt;a href="https://www.veracode.com/blog/ai-generated-code-security-risks/" rel="noopener noreferrer"&gt;2025 GenAI Code Security Report&lt;/a&gt;" from Veracode found, after analysing over 100 large language models across 80 coding tasks spanning four programming languages and four critical vulnerability types, that only 55% of the AI-generated code was secure (AI-Generated Code: A Double-Edged Sword for Developers, 09.09.2025). We don't doubt that, eventually, the machines will take over the world, but in the meantime, don't forget to ask yourself &lt;strong&gt;what can go wrong&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3uy09dwzqa4soxv1xfv.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3uy09dwzqa4soxv1xfv.webp" alt="Machines will for sure take over the world"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And what does the industry standard for infosec management say about writing secure code?&lt;/p&gt;

&lt;p&gt;If you are ISO 27001 certified and write code, you should know that the control you have adopted, "ISO 27002: 8.28 Secure coding", says: "Planning and prerequisites before coding should include: ... g) secure design and architecture, including threat modelling".&lt;/p&gt;

&lt;p&gt;But how can you possibly do that in an agile and fun way?&lt;/p&gt;

&lt;p&gt;Visit &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt; and play OWASP Cornucopia, Elevation of MLSec, Elevation of Privilege or OWASP Cumulus with your team.&lt;br&gt;
Games aren't just for fun; they can be serious tools too, and that is what we are doing with &lt;a href="https://cornucopia.owasp.org/" rel="noopener noreferrer"&gt;OWASP Cornucopia&lt;/a&gt;. We are making threat modeling for everyone, everywhere, and we have a special love for agile teams that want to do continuous threat modeling as part of their development sprints. Don't believe us? See how long-time project contributor Max Alejandro Gómez Sánchez Vergaray &lt;a href="https://cornucopia.owasp.org/how-to-play#Gameplay-using-abuse-case-modelling-approach" rel="noopener noreferrer"&gt;created a video&lt;/a&gt; explaining how he has trained hundreds of teams to use OWASP Cornucopia in abuse case modelling sessions at a major international bank. This approach has scaled to over two thousand developers to date.&lt;/p&gt;


&lt;h2&gt;&lt;iframe src="https://www.youtube.com/embed/vLYzId7-ijI"&gt;&lt;/iframe&gt;&lt;/h2&gt;

&lt;p&gt;In the next version of the OWASP Cornucopia Website App Edition, v2.2, we have a special treat for you. We have gathered all our threat modeling expertise, created threat modeling scenarios for each card and analyzed which STRIDE categories each of these scenarios belongs to. If you have bought an &lt;a href="https://cornucopia.owasp.org/webshop" rel="noopener noreferrer"&gt;OWASP Cornucopia deck with QR codes&lt;/a&gt;, you can now give your team advice on threat scenarios, threat vectors, attack patterns, mitigation strategies and STRIDE while playing by letting them scan the QR code on each card. Each scenario follows "&lt;a href="https://github.com/adamshostack/4QuestionFrame?tab=readme-ov-file#shostacks-four-question-frame-for-threat-modeling" rel="noopener noreferrer"&gt;Shostack's Four Question Frame for Threat Modeling&lt;/a&gt;", making it easy for your security champions to come up with the threats and mitigations themselves.&lt;br&gt;
In addition, we have added further CAPECs that correspond to each card, and references to the &lt;a href="https://devguide.owasp.org/en/04-design/02-web-app-checklist/" rel="noopener noreferrer"&gt;OWASP Developer Guide's Web Application Checklist&lt;/a&gt; that link your threat modeling to OWASP secure coding practices and the &lt;a href="https://top10proactive.owasp.org/" rel="noopener noreferrer"&gt;OWASP Top 10 Proactive Controls&lt;/a&gt;, thanks to Jon Gadson from the OWASP Developer Guide project.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjpj4qumpmfd2xt306hfb.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjpj4qumpmfd2xt306hfb.jpg" alt="Both the Mobile App Edition v1.1 and the Website App Edition v2.2 have QR codes that takes you to the OWASP Cornucopia Website for further analysis of threats and mitigations"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We are just getting started; in fact, this is just the first step. We will continue to bring threat modeling to everyone, everywhere, in the time to come.&lt;br&gt;
Next time we will also talk about the last question: "Did we do a good job?"&lt;br&gt;
Why? Because we want the game to be used in iterative security processes that continually adapt security measures in cycles to identify, address, and reassess threats and vulnerabilities, making continuous improvements rather than a one-time fix.&lt;/p&gt;

&lt;p&gt;Stay tuned.&lt;/p&gt;
&lt;h2&gt;How to use OWASP Cornucopia cards together with the OWASP Cornucopia website&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;A - Preparations&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards&lt;/li&gt;
&lt;li&gt;A2. Identify an application or application process to review; this might be a concept, design or an actual implementation&lt;/li&gt;
&lt;li&gt;A3. Create a data flow diagram, user stories, or other artefacts to help the review&lt;/li&gt;
&lt;li&gt;A4. This will help answer the question: "What are we working on?"&lt;/li&gt;
&lt;li&gt;A5. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)&lt;/li&gt;
&lt;li&gt;A6. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture). See our "Prizes and Swags" section for ideas.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;B - Play&lt;br&gt;
One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;B1. Remove the Jokers and a few low-score (2, 3, 4) cards from the Cornucopia suit to ensure each player will have the same number of cards&lt;/li&gt;
&lt;li&gt;B2. Shuffle the pack and deal all the cards&lt;/li&gt;
&lt;li&gt;B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia&lt;/li&gt;
&lt;li&gt;B4. To play a card, each player must read it out aloud and explain how (or not) the threat could apply (the player gets a point for attacks that work and that the group thinks are actionable bugs). Don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed to be already mitigated. Someone records the card on the score sheet&lt;/li&gt;
&lt;li&gt;B5. If a player gets stuck, ask them to scan the QR code on the card to access the online card page and read the section called &lt;strong&gt;"&lt;a href="https://cornucopia.owasp.org/cards/VE2#What-can-go-wrong?" rel="noopener noreferrer"&gt;What can go wrong?&lt;/a&gt;"&lt;/strong&gt;, click the "more info" links if playing &lt;a href="https://copi.owasp.org/" rel="noopener noreferrer"&gt;Copi&lt;/a&gt; (the online Cornucopia version), or just browse the card in the deck at cornucopia.owasp.org while playing&lt;/li&gt;
&lt;li&gt;B6. Play clockwise; each person must play a card in the same way. If you have any card of the lead suit you must play one of those; otherwise you can play a card from any other suit. Only a higher card of the same suit, or a card of the trump suit Cornucopia, wins the hand&lt;/li&gt;
&lt;li&gt;B7. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit&lt;/li&gt;
&lt;li&gt;B8. Repeat until all the cards are played&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;C - Scoring&lt;br&gt;
The objective is to identify applicable threats, and win hands (rounds)&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;C1. Score +1 for each card you can identify as a valid threat to the application under consideration&lt;/li&gt;
&lt;li&gt;C2. Score +1 if you win a round&lt;/li&gt;
&lt;li&gt;C3. Once all cards have been played, whoever has the most points, wins&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;D - Closure&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;D1. Review all the applicable threats and the matching security requirements.&lt;/li&gt;
&lt;li&gt;D2. Ask the group: "What are we going to do about it?". Use the QR codes on the physical cards or "more info" links if playing &lt;a href="https://copi.owasp.org/" rel="noopener noreferrer"&gt;Copi&lt;/a&gt; and read the &lt;strong&gt;&lt;a href="https://cornucopia.owasp.org/cards/VE2#What-are-we-going-to-do-about-it?" rel="noopener noreferrer"&gt;"What are we going to do about it?"&lt;/a&gt;&lt;/strong&gt; section&lt;/li&gt;
&lt;li&gt;D3. Create user stories, specifications and test cases as required for your development methodology and add them directly into your issue tracking software under what you are working on&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
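&lt;p&gt;As an added example, not code from the OWASP Cornucopia project, here are the play and scoring rules above (B1-B8, C1-C3) encoded as a small Python session helper: it deals the deck, enforces the lead-suit and trump rules, decides each round and keeps the score sheet that steps D1-D3 turn into backlog items. The five non-trump suit names are assumed from the Website Edition deck (the page itself only names the Cornucopia trump suit), and the applies callback is a stand-in for the group's judgement in B4.&lt;/p&gt;

```python
"""Session helper for the OWASP Cornucopia play and scoring rules (B1-B8, C1-C3).

Added example, not code from the OWASP Cornucopia project. Rules encoded:
Cornucopia is the trump suit and aces are high; the opening lead may not be
a trump; players must follow the lead suit when they hold it; the highest
trump wins a round, otherwise the highest card of the lead suit; the winner
leads the next round; +1 per card judged a valid threat, +1 per round won.
The five non-trump suit names are an assumption taken from the Website
Edition deck; the page itself only names the Cornucopia suit.
"""
import random
from collections import Counter
from dataclasses import dataclass

TRUMP = "Cornucopia"
SUITS = ["Data validation and encoding", "Authentication", "Session management",
         "Authorization", "Cryptography", TRUMP]          # assumed suit names
RANKS = ["2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K", "A"]
RANK_VALUE = {rank: i for i, rank in enumerate(RANKS)}  # aces high


@dataclass(frozen=True)
class Card:
    suit: str
    rank: str


def build_deck(players):
    """B1: the 78 suit cards (jokers already left out), minus as many low
    Cornucopia cards (2, 3, 4) as needed so every player gets the same count."""
    deck = [Card(suit, rank) for suit in SUITS for rank in RANKS]
    low_trumps = [Card(TRUMP, rank) for rank in ("2", "3", "4")]
    while len(deck) % players and low_trumps:
        deck.remove(low_trumps.pop(0))
    if len(deck) % players:
        raise ValueError("cannot deal %d cards evenly to %d players" % (len(deck), players))
    return deck


def legal_plays(hand, lead_suit, opening=False):
    """B3/B6: the very first lead may not be a trump; when following, a card
    of the lead suit must be played if the hand holds one."""
    if lead_suit is None:
        if opening:
            return [c for c in hand if c.suit != TRUMP] or list(hand)
        return list(hand)
    return [c for c in hand if c.suit == lead_suit] or list(hand)


def round_winner(plays):
    """B6: plays is a list of (player, card) in play order. The highest trump
    wins; with no trump played, the highest card of the lead suit wins."""
    lead_suit = plays[0][1].suit
    trumps = [pc for pc in plays if pc[1].suit == TRUMP]
    candidates = trumps or [pc for pc in plays if pc[1].suit == lead_suit]
    return max(candidates, key=lambda pc: RANK_VALUE[pc[1].rank])[0]


def play_session(player_names, applies, seed=0):
    """Deal (B2), play every round (B3-B8) and score (C1-C3).

    applies(card) stands in for the group's judgement in B4 that the card is
    a valid, actionable threat. Returns the scores and the score sheet: every
    applicable card with the player who identified it (the input to D1-D3)."""
    players = list(player_names)
    rng = random.Random(seed)
    deck = build_deck(len(players))
    rng.shuffle(deck)
    hands = {p: deck[i::len(players)] for i, p in enumerate(players)}
    scores = Counter({p: 0 for p in players})
    score_sheet = []
    leader = rng.choice(players)                       # B3: random first leader
    for round_no in range(len(deck) // len(players)):
        start = players.index(leader)
        plays, lead_suit = [], None
        for p in players[start:] + players[:start]:    # clockwise from the leader
            card = rng.choice(legal_plays(hands[p], lead_suit, opening=(round_no == 0)))
            hands[p].remove(card)
            plays.append((p, card))
            if lead_suit is None:
                lead_suit = card.suit
            if applies(card):                          # C1: valid threat identified
                scores[p] += 1
                score_sheet.append((card, p))
        leader = round_winner(plays)                   # B7: winner leads next round
        scores[leader] += 1                            # C2: round won
    assert not any(hands.values())                     # B8: every card has been played
    return dict(scores), score_sheet


if __name__ == "__main__":
    # Constructed run: pretend the group judges every Cornucopia card applicable.
    totals, sheet = play_session(["Alice", "Bob", "Carol", "Dan"],
                                 lambda c: c.suit == TRUMP, seed=7)
    print(totals)
    for card, who in sheet:
        print("%s %s identified by %s" % (card.suit, card.rank, who))
```

&lt;p&gt;The seed makes a session replayable; in a real game the applies callback is the group's verdict on each card as it is read out, and the returned score sheet is what you walk through in D1 and D2 before turning each entry into a user story or test case in D3.&lt;/p&gt;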



&lt;p&gt;Uncover the security flaws in your software's design before the bad guys do it for you! Get your team together on a call or in a room and guide your threat modelling at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt;: use OWASP Cornucopia Web &amp;amp; Mobile or Elevation of Privilege, Elevation of MLSec for your AI models and OWASP Cumulus for your cloud infrastructure. And if you visit our &lt;a href="https://github.com/OWASP/cornucopia" rel="noopener noreferrer"&gt;code repository&lt;/a&gt;, please give us a star ⭐️.&lt;/p&gt;

&lt;p&gt;&lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;&lt;/iframe&gt;&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>devops</category>
      <category>security</category>
      <category>ai</category>
      <category>gamedev</category>
    </item>
    <item>
      <title>At OWASP Cornucopia we have long stated that we will create more decks, and now we will!</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Thu, 07 Aug 2025 06:56:03 +0000</pubDate>
      <link>https://dev.to/sydseter/at-owasp-cornucopia-we-have-long-stated-that-we-will-create-more-decks-and-now-we-will-4488</link>
      <guid>https://dev.to/sydseter/at-owasp-cornucopia-we-have-long-stated-that-we-will-create-more-decks-and-now-we-will-4488</guid>
      <description>&lt;div class="ltag__link--embedded"&gt;
  &lt;div class="crayons-story "&gt;
  &lt;a href="https://dev.to/owasp/owasp-cornucopia-companion-edition-1h66" class="crayons-story__hidden-navigation-link"&gt;OWASP Cornucopia Companion Edition&lt;/a&gt;


  &lt;div class="crayons-story__body crayons-story__body-full_post"&gt;
    &lt;div class="crayons-story__top"&gt;
      &lt;div class="crayons-story__meta"&gt;
        &lt;div class="crayons-story__author-pic"&gt;
          &lt;a class="crayons-logo crayons-logo--l" href="/owasp"&gt;
            &lt;img alt="OWASP® Foundation logo" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F3468%2F0b3561bb-9ac3-413f-baaa-5014181e4b4d.jpg" class="crayons-logo__image"&gt;
          &lt;/a&gt;

          &lt;a href="/sydseter" class="crayons-avatar  crayons-avatar--s absolute -right-2 -bottom-2 border-solid border-2 border-base-inverted  "&gt;
            &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1603787%2F2452403e-ca52-4d25-94f2-1170d6598a26.png" alt="sydseter profile" class="crayons-avatar__image"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
          &lt;div&gt;
            &lt;a href="/sydseter" class="crayons-story__secondary fw-medium m:hidden"&gt;
              johan sydseter
            &lt;/a&gt;
            &lt;div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"&gt;
              
                johan sydseter
                
              
              &lt;div id="story-author-preview-content-2755939" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"&gt;
                &lt;div class="gap-4 grid"&gt;
                  &lt;div class="-mt-4"&gt;
                    &lt;a href="/sydseter" class="flex"&gt;
                      &lt;span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"&gt;
                        &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1603787%2F2452403e-ca52-4d25-94f2-1170d6598a26.png" class="crayons-avatar__image" alt=""&gt;
                      &lt;/span&gt;
                      &lt;span class="crayons-link crayons-subtitle-2 mt-5"&gt;johan sydseter&lt;/span&gt;
                    &lt;/a&gt;
                  &lt;/div&gt;
                  &lt;div class="print-hidden"&gt;
                    
                      Follow
                    
                  &lt;/div&gt;
                  &lt;div class="author-preview-metadata-container"&gt;&lt;/div&gt;
                &lt;/div&gt;
              &lt;/div&gt;
            &lt;/div&gt;

            &lt;span&gt;
              &lt;span class="crayons-story__tertiary fw-normal"&gt; for &lt;/span&gt;&lt;a href="/owasp" class="crayons-story__secondary fw-medium"&gt;OWASP® Foundation&lt;/a&gt;
            &lt;/span&gt;
          &lt;/div&gt;
          &lt;a href="https://dev.to/owasp/owasp-cornucopia-companion-edition-1h66" class="crayons-story__tertiary fs-xs"&gt;&lt;time&gt;Aug 6 '25&lt;/time&gt;&lt;span class="time-ago-indicator-initial-placeholder"&gt;&lt;/span&gt;&lt;/a&gt;
        &lt;/div&gt;
      &lt;/div&gt;

    &lt;/div&gt;

    &lt;div class="crayons-story__indention"&gt;
      &lt;h2 class="crayons-story__title crayons-story__title-full_post"&gt;
        &lt;a href="https://dev.to/owasp/owasp-cornucopia-companion-edition-1h66" id="article-link-2755939"&gt;
          OWASP Cornucopia Companion Edition
        &lt;/a&gt;
      &lt;/h2&gt;
        &lt;div class="crayons-story__tags"&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/appsec"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;appsec&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/cybersecurity"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;cybersecurity&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/gamedev"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;gamedev&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/security"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;security&lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="crayons-story__bottom"&gt;
        &lt;div class="crayons-story__details"&gt;
          &lt;a href="https://dev.to/owasp/owasp-cornucopia-companion-edition-1h66" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"&gt;
            &lt;div class="multiple_reactions_aggregate"&gt;
              &lt;span class="multiple_reactions_icons_container"&gt;
                  &lt;span class="crayons_icon_container"&gt;
                    &lt;img src="https://assets.dev.to/assets/sparkle-heart-5f9bee3767e18deb1bb725290cb151c25234768a0e9a2bd39370c382d02920cf.svg" width="18" height="18"&gt;
                  &lt;/span&gt;
              &lt;/span&gt;
              &lt;span class="aggregate_reactions_counter"&gt;3&lt;span class="hidden s:inline"&gt; reactions&lt;/span&gt;&lt;/span&gt;
            &lt;/div&gt;
          &lt;/a&gt;
            &lt;a href="https://dev.to/owasp/owasp-cornucopia-companion-edition-1h66#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"&gt;
              Comments


              &lt;span class="hidden s:inline"&gt;Add Comment&lt;/span&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div class="crayons-story__save"&gt;
          &lt;small class="crayons-story__tertiary fs-xs mr-2"&gt;
            2 min read
          &lt;/small&gt;
            
              &lt;span class="bm-initial"&gt;
                

              &lt;/span&gt;
              &lt;span class="bm-success"&gt;
                

              &lt;/span&gt;
            
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;


</description>
      <category>appsec</category>
      <category>cybersecurity</category>
      <category>gamedev</category>
      <category>security</category>
    </item>
    <item>
      <title>OWASP Cornucopia Companion Edition</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Wed, 06 Aug 2025 14:35:30 +0000</pubDate>
      <link>https://dev.to/owasp/owasp-cornucopia-companion-edition-1h66</link>
      <guid>https://dev.to/owasp/owasp-cornucopia-companion-edition-1h66</guid>
      <description>&lt;h2&gt;
  
  
  &lt;em&gt;At OWASP Cornucopia we have long stated that we will create more decks, and now we will!&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;To provide more possibilities for doing threat modeling while playing games, OWASP Cornucopia would like to welcome all OWASP members and OWASP Cornucopia enthusiasts to create the OWASP Cornucopia companion deck!&lt;/p&gt;

&lt;p&gt;The companion deck will contain a number of optional card enhancements - each one a single suit covering a particular application security topic, and intended to be used in conjunction with the existing OWASP Cornucopia Website Edition. A suit in the companion deck may be used to replace a suit in the existing Website Edition, so that the players can add a specific focus for their threat modeling.&lt;/p&gt;

&lt;p&gt;For example, say you are building an IoT application and want to perform threat modeling specifically for IoT. If that is the case, you can use the OWASP Cornucopia Website Edition together with the IoT companion suit as your elected OWASP Cornucopia focus area.&lt;/p&gt;

&lt;p&gt;Each of the attacks on the cards belonging to the various suits will showcase AppSec requirements from different OWASP projects and beyond, commemorating and celebrating the 25th anniversary of the OWASP Foundation next year. In addition, we would like the case, the leaflet with the instructions, and the face of the cards to be illustrated for this very same purpose.&lt;/p&gt;

&lt;p&gt;Join us to take gamified threat modeling to the next level and celebrate the OWASP Foundation's achievements within application security worldwide. We welcome suggestions on what the focus areas of the extension suits in the companion deck should be, which OWASP projects are most relevant for these, and contributors to write the attacks for each card. We are thinking of up to six companion deck suits. Get in touch….&lt;/p&gt;

&lt;p&gt;GitHub: &lt;a href="https://github.com/OWASP/cornucopia/discussions/1548" rel="noopener noreferrer"&gt;https://github.com/OWASP/cornucopia/discussions/1548&lt;/a&gt;&lt;br&gt;
LinkedIn: &lt;a href="https://www.linkedin.com/in/sydseter/" rel="noopener noreferrer"&gt;https://www.linkedin.com/in/sydseter/&lt;/a&gt;&lt;br&gt;
Bluesky: &lt;a href="https://bsky.app/profile/sydseter.com" rel="noopener noreferrer"&gt;https://bsky.app/profile/sydseter.com&lt;/a&gt;&lt;br&gt;
Mastodon: &lt;a href="https://mastodon.social/@sydseter" rel="noopener noreferrer"&gt;https://mastodon.social/@sydseter&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;Learn how to play OWASP Cornucopia or Elevation of Privilege:&lt;/p&gt;

&lt;p&gt;  &lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
  &lt;/iframe&gt;
&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>appsec</category>
      <category>cybersecurity</category>
      <category>gamedev</category>
      <category>security</category>
    </item>
    <item>
      <title>No need to fear the clouds. Play OWASP Cumulus!</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Thu, 26 Jun 2025 09:32:39 +0000</pubDate>
      <link>https://dev.to/owasp/no-need-to-fear-the-clouds-play-owasp-cumulus-d6g</link>
      <guid>https://dev.to/owasp/no-need-to-fear-the-clouds-play-owasp-cumulus-d6g</guid>
      <description>&lt;h2&gt;
  
  
  &lt;em&gt;The clouds can be a scary place. All these machines that simply aren't yours. So, how can you make sure you continuously keep your cloud infrastructure secure? OWASP Cumulus is the easy way to bring security into the cloud and your DevOps teams. Play it at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt; thanks to &lt;a href="https://www.linkedin.com/in/christoph-niehoff-43020b20b/" rel="noopener noreferrer"&gt;Christoph Niehoff&lt;/a&gt; and &lt;a href="https://owasp.org/www-project-cumulus/" rel="noopener noreferrer"&gt;OWASP Cumulus&lt;/a&gt;!&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;As a variant of the card game &lt;a href="https://shostack.org/games/elevation-of-privilege" rel="noopener noreferrer"&gt;Elevation of Privilege&lt;/a&gt;, it follows the idea of threat modeling a system via gamification. This lightweight and low-barrier approach helps you find threats to your DevOps or cloud project and teaches developers a security-oriented mindset.&lt;/p&gt;

&lt;h2&gt;
  
  
  Threat Modeling
&lt;/h2&gt;

&lt;p&gt;The idea of threat modeling via serious games goes back to the card game &lt;a href="https://shostack.org/games/elevation-of-privilege" rel="noopener noreferrer"&gt;Elevation of Privilege&lt;/a&gt; by Adam Shostack. The basic idea is to bring the developers to the table and get them to start discussing the security of their system. For this, a card game serves as a guide through a catalogue of threats. It is designed to be low-barrier and naturally embeddable within agile development processes.&lt;/p&gt;

&lt;p&gt;While we at &lt;a href="https://cornucopia.owasp.org/" rel="noopener noreferrer"&gt;OWASP Cornucopia&lt;/a&gt; have been focusing on creating games for web and mobile application security, we have felt that the specific needs of DevOps teams working in cloud environments have not been addressed. &lt;a href="https://owasp.org/www-project-cumulus/" rel="noopener noreferrer"&gt;OWASP Cumulus&lt;/a&gt; seeks to fill this gap and provides a custom card deck with threats to cloud systems.&lt;/p&gt;

&lt;h2&gt;
  
  
  Continuously Assessing your Security
&lt;/h2&gt;

&lt;p&gt;The point here is not to just do your initial security risk assessment and be done with it, but to continuously look for new threats on a regular basis as you expand your infrastructure, in line with the &lt;a href="https://www.threatmodelingmanifesto.org/" rel="noopener noreferrer"&gt;Threat Modeling Manifesto&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;"Continuous Threat Modeling", a term described in &lt;a href="https://www.amazon.com/Threat-Modeling-Identification-Avoidance-Secure/dp/1492056553" rel="noopener noreferrer"&gt;"Threat Modeling: A Practical Guide for Development Teams"&lt;/a&gt; by Izar Tarandach &amp;amp; Matthew J. Coles is essential to keep your applications and infrastructure secure as you expand your system with new features and machines and increase the attack surface. Gamifications can help getting started doing just that. So why would you want to continuous threat model your infrastructure and applications? Isn't it enough just to do a thorough and deep check up now and then? At &lt;a href="https://admincontrol.com/" rel="noopener noreferrer"&gt;Admincontrol&lt;/a&gt;, where I work, we thought so as well!&lt;/p&gt;

&lt;p&gt;At Admincontrol, we were threat modeling our applications. We have a large session that we are only able to do once a year, and several smaller sessions that we do for each sprint. We define Jira issues meant for mitigating these threats and assign them directly to the development team's backlog. Then we have security backlog grooming once a month with the product owners and discuss directly with them how we can get these issues resolved.&lt;/p&gt;

&lt;p&gt;The first graph shows the resolution time for the Jira issues that are created based on the threat modeling session we do once a year. The second graph shows the resolution time for the Jira issues from the threat modeling that we do each sprint.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Graph 1&lt;/strong&gt;:&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj4s1t7qyv02vmkpt5v4w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj4s1t7qyv02vmkpt5v4w.png" alt="Threat modeling done once a year"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Graph 2&lt;/strong&gt;:&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fskzqjk9cd1ubnjj2kh6h.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fskzqjk9cd1ubnjj2kh6h.png" alt="Threat modeling done continously"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As you can see, in the first graph, the resolution time is just increasing. This is because we have Jira issues that are defined but never resolved. Some of the issues have taken close to 3 years to resolve!&lt;/p&gt;

&lt;p&gt;The second graph shows a bump where the resolution time spikes. This is because we had a component that didn't get finalized. It stayed on the drawing board, but the threat modeling had already been done, so the resolution time spiked. We have no data before 2023 as we didn't do this type of threat modeling before 2023. On average, the resolution time for the short threat modeling sessions is ca. 3 months. This usually coincides with the frequency of our minor releases that contain new features.&lt;/p&gt;
&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Femdxojidbn7pkgz2uqyu.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Femdxojidbn7pkgz2uqyu.jpg" alt=" "&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you do long and large sessions, you run the risk of both doing threat modeling irregularly, meaning that you will have issues you are never able to solve, and having issues meant to improve security staying in the development team's backlog forever, never to see the light of day. If you think that technical debt is scary, wait until you get to see your security debt. Not assessing how your security is doing on a regular basis isn't only very expensive, it can leave you open to threats as well. This is why &lt;a href="https://github.com/izar/continuous-threat-modeling" rel="noopener noreferrer"&gt;continuous threat modeling&lt;/a&gt; is so important. Don't let your business spiral out of control; consciously assess how you are doing by continuously threat modeling your applications and infrastructure.&lt;/p&gt;
&lt;h2&gt;
  
  
  How to play OWASP Cumulus
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Go to: &lt;a href="https://copi.owasp.org/games/new" rel="noopener noreferrer"&gt;https://copi.owasp.org/games/new&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Select OWASP Cumulus from the drop-down list&lt;/li&gt;
&lt;li&gt;Make sure you have done all the preparations&lt;/li&gt;
&lt;li&gt;Then click: Create the Game&lt;/li&gt;
&lt;li&gt;Send the link to 3 players&lt;/li&gt;
&lt;li&gt;Once 3 players have joined, click start the game.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8luferag2unn4kdmrolu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8luferag2unn4kdmrolu.png" alt="owasp cumulus how to"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhhwbwjn0k71ny8oazlj8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhhwbwjn0k71ny8oazlj8.png" alt="the cards"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  OWASP Cornucopia
&lt;/h2&gt;

&lt;p&gt;Uncover the security flaws in your software's design before the bad guys do it for you! Get your team together on a call or in a room and use OWASP Cornucopia Web &amp;amp; Mobile, Elevation of Privilege or Elevation of MLSec and OWASP Cumulus to secure your AI models and Cloud infrastructure respectively and guide your threat modelling at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt;, and if you visit our &lt;a href="https://github.com/OWASP/cornucopia" rel="noopener noreferrer"&gt;code repository&lt;/a&gt; please give us a star ⭐️.&lt;/p&gt;



&lt;p&gt;Learn how to play OWASP Cornucopia or Elevation of Privilege:&lt;/p&gt;

&lt;p&gt;  &lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
  &lt;/iframe&gt;
&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>cloud</category>
      <category>threatmodeling</category>
      <category>appsec</category>
      <category>gamedev</category>
    </item>
    <item>
      <title>Are you letting the AI do the threat modeling?</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Tue, 17 Jun 2025 13:14:26 +0000</pubDate>
      <link>https://dev.to/sydseter/are-you-letting-the-ai-do-the-threat-modeling-18o0</link>
      <guid>https://dev.to/sydseter/are-you-letting-the-ai-do-the-threat-modeling-18o0</guid>
      <description>&lt;div class="ltag__link--embedded"&gt;
  &lt;div class="crayons-story "&gt;
  &lt;a href="https://dev.to/owasp/threat-modeling-your-ai-models-using-ai-29e1" class="crayons-story__hidden-navigation-link"&gt;Does the AI do the threat modeling of your software?&lt;/a&gt;


  &lt;div class="crayons-story__body crayons-story__body-full_post"&gt;
    &lt;div class="crayons-story__top"&gt;
      &lt;div class="crayons-story__meta"&gt;
        &lt;div class="crayons-story__author-pic"&gt;
          &lt;a class="crayons-logo crayons-logo--l" href="/owasp"&gt;
            &lt;img alt="OWASP® Foundation logo" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F3468%2F0b3561bb-9ac3-413f-baaa-5014181e4b4d.jpg" class="crayons-logo__image"&gt;
          &lt;/a&gt;

          &lt;a href="/sydseter" class="crayons-avatar  crayons-avatar--s absolute -right-2 -bottom-2 border-solid border-2 border-base-inverted  "&gt;
            &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1603787%2F2452403e-ca52-4d25-94f2-1170d6598a26.png" alt="sydseter profile" class="crayons-avatar__image"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
          &lt;div&gt;
            &lt;a href="/sydseter" class="crayons-story__secondary fw-medium m:hidden"&gt;
              johan sydseter
            &lt;/a&gt;
            &lt;div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"&gt;
              
                johan sydseter
                
              
              &lt;div id="story-author-preview-content-2584671" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"&gt;
                &lt;div class="gap-4 grid"&gt;
                  &lt;div class="-mt-4"&gt;
                    &lt;a href="/sydseter" class="flex"&gt;
                      &lt;span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"&gt;
                        &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1603787%2F2452403e-ca52-4d25-94f2-1170d6598a26.png" class="crayons-avatar__image" alt=""&gt;
                      &lt;/span&gt;
                      &lt;span class="crayons-link crayons-subtitle-2 mt-5"&gt;johan sydseter&lt;/span&gt;
                    &lt;/a&gt;
                  &lt;/div&gt;
                  &lt;div class="print-hidden"&gt;
                    
                      Follow
                    
                  &lt;/div&gt;
                  &lt;div class="author-preview-metadata-container"&gt;&lt;/div&gt;
                &lt;/div&gt;
              &lt;/div&gt;
            &lt;/div&gt;

            &lt;span&gt;
              &lt;span class="crayons-story__tertiary fw-normal"&gt; for &lt;/span&gt;&lt;a href="/owasp" class="crayons-story__secondary fw-medium"&gt;OWASP® Foundation&lt;/a&gt;
            &lt;/span&gt;
          &lt;/div&gt;
          &lt;a href="https://dev.to/owasp/threat-modeling-your-ai-models-using-ai-29e1" class="crayons-story__tertiary fs-xs"&gt;&lt;time&gt;Jun 11 '25&lt;/time&gt;&lt;span class="time-ago-indicator-initial-placeholder"&gt;&lt;/span&gt;&lt;/a&gt;
        &lt;/div&gt;
      &lt;/div&gt;

    &lt;/div&gt;

    &lt;div class="crayons-story__indention"&gt;
      &lt;h2 class="crayons-story__title crayons-story__title-full_post"&gt;
        &lt;a href="https://dev.to/owasp/threat-modeling-your-ai-models-using-ai-29e1" id="article-link-2584671"&gt;
          Does the AI do the threat modeling of your software?
        &lt;/a&gt;
      &lt;/h2&gt;
        &lt;div class="crayons-story__tags"&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/ai"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;ai&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/threatmodeling"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;threatmodeling&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/appsec"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;appsec&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/openai"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;openai&lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="crayons-story__bottom"&gt;
        &lt;div class="crayons-story__details"&gt;
            &lt;a href="https://dev.to/owasp/threat-modeling-your-ai-models-using-ai-29e1#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"&gt;
              Comments


              &lt;span class="hidden s:inline"&gt;Add Comment&lt;/span&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div class="crayons-story__save"&gt;
          &lt;small class="crayons-story__tertiary fs-xs mr-2"&gt;
            3 min read
          &lt;/small&gt;
            
              &lt;span class="bm-initial"&gt;
                

              &lt;/span&gt;
              &lt;span class="bm-success"&gt;
                

              &lt;/span&gt;
            
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;


</description>
      <category>ai</category>
      <category>threatmodeling</category>
      <category>appsec</category>
      <category>openai</category>
    </item>
    <item>
      <title>Version 2.3 of OWASP Cornucopia has been released!</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Wed, 11 Jun 2025 19:35:33 +0000</pubDate>
      <link>https://dev.to/sydseter/version-23-of-owasp-cornucopia-has-been-released-11kl</link>
      <guid>https://dev.to/sydseter/version-23-of-owasp-cornucopia-has-been-released-11kl</guid>
      <description>&lt;div class="ltag__link--embedded"&gt;
  &lt;div class="crayons-story "&gt;
  &lt;a href="https://dev.to/owasp/threat-modeling-your-ai-models-using-ai-29e1" class="crayons-story__hidden-navigation-link"&gt;Does the AI do the threat modeling of your software?&lt;/a&gt;


  &lt;div class="crayons-story__body crayons-story__body-full_post"&gt;
    &lt;div class="crayons-story__top"&gt;
      &lt;div class="crayons-story__meta"&gt;
        &lt;div class="crayons-story__author-pic"&gt;
          &lt;a class="crayons-logo crayons-logo--l" href="/owasp"&gt;
            &lt;img alt="OWASP® Foundation logo" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F3468%2F0b3561bb-9ac3-413f-baaa-5014181e4b4d.jpg" class="crayons-logo__image"&gt;
          &lt;/a&gt;

          &lt;a href="/sydseter" class="crayons-avatar  crayons-avatar--s absolute -right-2 -bottom-2 border-solid border-2 border-base-inverted  "&gt;
            &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1603787%2F2452403e-ca52-4d25-94f2-1170d6598a26.png" alt="sydseter profile" class="crayons-avatar__image"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
          &lt;div&gt;
            &lt;a href="/sydseter" class="crayons-story__secondary fw-medium m:hidden"&gt;
              johan sydseter
            &lt;/a&gt;
            &lt;div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"&gt;
              
                johan sydseter
                
              
              &lt;div id="story-author-preview-content-2584671" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"&gt;
                &lt;div class="gap-4 grid"&gt;
                  &lt;div class="-mt-4"&gt;
                    &lt;a href="/sydseter" class="flex"&gt;
                      &lt;span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"&gt;
                        &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1603787%2F2452403e-ca52-4d25-94f2-1170d6598a26.png" class="crayons-avatar__image" alt=""&gt;
                      &lt;/span&gt;
                      &lt;span class="crayons-link crayons-subtitle-2 mt-5"&gt;johan sydseter&lt;/span&gt;
                    &lt;/a&gt;
                  &lt;/div&gt;
                  &lt;div class="print-hidden"&gt;
                    
                      Follow
                    
                  &lt;/div&gt;
                  &lt;div class="author-preview-metadata-container"&gt;&lt;/div&gt;
                &lt;/div&gt;
              &lt;/div&gt;
            &lt;/div&gt;

            &lt;span&gt;
              &lt;span class="crayons-story__tertiary fw-normal"&gt; for &lt;/span&gt;&lt;a href="/owasp" class="crayons-story__secondary fw-medium"&gt;OWASP® Foundation&lt;/a&gt;
            &lt;/span&gt;
          &lt;/div&gt;
          &lt;a href="https://dev.to/owasp/threat-modeling-your-ai-models-using-ai-29e1" class="crayons-story__tertiary fs-xs"&gt;&lt;time&gt;Jun 11 '25&lt;/time&gt;&lt;span class="time-ago-indicator-initial-placeholder"&gt;&lt;/span&gt;&lt;/a&gt;
        &lt;/div&gt;
      &lt;/div&gt;

    &lt;/div&gt;

    &lt;div class="crayons-story__indention"&gt;
      &lt;h2 class="crayons-story__title crayons-story__title-full_post"&gt;
        &lt;a href="https://dev.to/owasp/threat-modeling-your-ai-models-using-ai-29e1" id="article-link-2584671"&gt;
          Does the AI do the threat modeling of your software?
        &lt;/a&gt;
      &lt;/h2&gt;
        &lt;div class="crayons-story__tags"&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/ai"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;ai&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/threatmodeling"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;threatmodeling&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/appsec"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;appsec&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/openai"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;openai&lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="crayons-story__bottom"&gt;
        &lt;div class="crayons-story__details"&gt;
            &lt;a href="https://dev.to/owasp/threat-modeling-your-ai-models-using-ai-29e1#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"&gt;
              Comments


              &lt;span class="hidden s:inline"&gt;Add Comment&lt;/span&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div class="crayons-story__save"&gt;
          &lt;small class="crayons-story__tertiary fs-xs mr-2"&gt;
            3 min read
          &lt;/small&gt;
            
              &lt;span class="bm-initial"&gt;
                

              &lt;/span&gt;
              &lt;span class="bm-success"&gt;
                

              &lt;/span&gt;
            
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;


</description>
      <category>ai</category>
      <category>threatmodeling</category>
      <category>appsec</category>
      <category>openai</category>
    </item>
  </channel>
</rss>
